*************************************************
+ PhotoAlbum 0.9.9 explorer.php Vulnerability +
*************************************************

# Advisory by pestilence #
# www.synnergy.net #

|===============================================|

Affected program: PhotoAlbum v0.9.9 (previous versions?)
System          : Linux, UNIX, Windows
Problem         : Directory traversal in the explorer.php script.
Discovery       : pestilence@synnergy.net

Discussion
----------

phpPhotoAlbum is the next generation of dynamic photo albums, distributed under the GPL.
This product is made by the 'Professional Web Application Development Group' and can be
downloaded from http://www.phpphotoalbum.com/

Specialised features of this PHP script include:

 . Custom Photo Folder Messages
 . Multi-level Photo Albums
 . Graphic User Interface
 . Supported Most Image Types

Vulnerability
-------------

Any user can pass a directory-traversal sequence (../) to the script through the $folder
request variable, which is used to build a filesystem path without validation. It is then
possible to list any folder, and read any file, with the privileges of the httpd process.

For instance:

http://www.phpphotoalbum.com/products/phpPhotoAlbum/explorer.php?folder=../../../../../../../etc/

.. will reveal all the files located in the specified directory.

Solution
--------

The vendors have been informed of the bug. Wait for the next patched version of PhotoAlbum
to be released.

----------------------------------------
WEB: http://www.synnergy.net
----------------------------------------
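The root cause above is a path built from $folder with no check that the result stays inside the album directory. The following is an added example of how such a parameter can be safely resolved; it is not phpPhotoAlbum's own code, and the ALBUM_ROOT path and the function name are assumptions for illustration.

```php
<?php
// Added example (not from phpPhotoAlbum): constrain a user-supplied folder
// name, such as the $folder request parameter, to a fixed album root.
// ALBUM_ROOT is an assumed location chosen for this illustration.
define('ALBUM_ROOT', '/var/www/html/albums');

/**
 * Resolve $folder to a directory inside ALBUM_ROOT.
 * Returns the canonical path, or null if the request escapes the root,
 * does not exist, or is not a directory.
 */
function resolve_album_folder(string $folder): ?string
{
    // A NUL byte can truncate the path in lower-level calls; refuse it.
    if (strpos($folder, "\0") !== false) {
        return null;
    }
    $root = realpath(ALBUM_ROOT);
    if ($root === false) {
        return null; // the root itself is missing or unreadable
    }
    // realpath() collapses "..", symlinks and repeated separators and
    // returns false when the target does not exist.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $folder);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Accept only the root itself or a path strictly beneath it. The
    // trailing separator stops "/albums-private" matching "/albums".
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root && strpos($candidate, $rootWithSep) !== 0) {
        return null;
    }
    return $candidate;
}

// Use in place of an unchecked $folder: "../../../../../../../etc/" now
// resolves to /etc, fails the root check, and is rejected.
$folder = $_GET['folder'] ?? '';
$dir = resolve_album_folder($folder);
if ($dir === null) {
    http_response_code(400);
    exit('Invalid folder');
}
foreach (scandir($dir) as $entry) {
    echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Requests that fail the check are worth logging with the raw $folder value, since repeated ../ sequences are a clear indicator of probing for this class of bug.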